InfoLaw Update January 2013 (Part 1)
In this article, Lawyer Aimee Taylor looks at how website operators have addressed the issue of consent and how the ICO is currently dealing with non-compliance.
With the introduction of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, the rules in relation to cookies have completely changed from a system of "informed opt-out" to "prior, informed opt-in". In almost all cases consent is required where a cookie is to be set.
Following the entry into force of the cookies regulations, the Information Commissioner’s Office (“ICO”) gave businesses a 12 month grace period within which to comply. This grace period expired in May 2012. The ICO has recently reported the results of its encouragement to individuals to report their concerns about websites and how they dealt with cookies during this period. The figures quoted below are taken from the ICO’s report.
In the period from 25 May 2012 to 21 November 2012, 550 reports were received. There were two main themes which ran throughout consumer complaints. The first was that users were largely unhappy with the implied consent mechanisms which were placed on the sites, in particular on those sites where cookies were placed immediately on entry. Secondly, people felt that they were not provided with a sufficient amount of information, in particular relating to how cookies could be declined or managed at a later date.
Of the 550 sites reported, over 50% of them (301) did not provide users with any information relating to cookies, compared to only 249 of them who did. A staggering 462 sites of the 550 surveyed did not ask for permission to place cookies, compared with only 88 that did.
In the period from 25 May 2012 to 06 September 2012, 388 concerns were received by the ICO relating to 207 websites. The ICO carried out a visual audit of those sites and then wrote to 106 of them to ask them to take steps to ensure they were compliant with the regulations. Of those 106:
- 48 took no steps; and
- 1 could not be reviewed.
The Top 200
The ICO focused its attention on sites within the Top 200 most visited in the UK about which it had received at least one complaint. The ICO contacted those sites that were within its jurisdiction to seek compliance. Of those sites:
- 12 took limited steps which led to the sites still not being compliant;
- 1 site did not take any steps; and
- 8 sites were based outside the UK.
Sites taking significant steps
The majority of sites which took significant steps made use of a banner to gain implied consent from the site visitor. For example, the site http://www.moneysavingexpert.com uses a banner stating the following:
“We use ‘cookie’ files to help make your use of this site faster and easier. From this point, we’ll assume that you are happy to receive all cookies on MoneySavingExpert.com” along with a link to further information and how to change settings.
Some sites contain a lot more detail on their banner, such as http://www.channel4.com which states the following:
This is an example of a positive action being required of the user rather than relying on implied consent – the user is given the option to click a button and accept the terms.
Sites that have taken limited steps
Those sites which only took limited steps gave some information regarding cookies, but in a limited way. The information was usually not phrased in a way that seeks to obtain consent or it was difficult to find.
Sites that have not taken any steps
Sites based outside the UK
For those sites operating outside of the UK, the ICO passed information to the relevant authorities about the concerns which were submitted.
The role of the ICO going forward
The ICO has contacted 174 websites to date, and is considering 14 for further investigation. The ICO’s approach will be initially to make contact to discuss compliance with the site owners, and then require them to take the steps considered by the ICO to be necessary to remedy the failings the ICO has identified. Each time the ICO receives a complaint about a site it will continue to act in this way to protect consumers. As ever, the ICO intends to adopt a collaborative approach, working with and assisting website owners to comply with the regulations. Only if a site refuses to take steps to comply will the ICO make use of its regulatory enforcement powers.
What does this mean for you as a website owner?
The ICO advises website operators to take the following steps in particular:
- to check the types of cookies and similar technologies being used and how they are being used. This would include analysing which cookies are strictly necessary (for example for using online purchasing software) and might not need consent;
- to decide how best to obtain consent, such as the use of pop-ups, website headers or footers and links to cookie policies.
Users must be provided with clear and relevant information and given the option to control their choices relating to cookies.
Published: Wednesday 23rd January 2013
Categorised: Information Law